Active Directory Insights (Part 10) – DHCP and domain controllers

If you would like to read the other parts in this article series please go to:

Introduction

As the nerve center of all resources and services on your network, your Active Directory domain controllers naturally interact closely with other key network services. Two such services are Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS). The first leases Internet Protocol (IPv4 and/or IPv6) addresses and related settings to the nodes on your network (computers, servers, routers, etc.); the second lets clients (users, applications, systems, etc.) locate resources (other systems, file shares, websites, printers, etc.) by a friendly, easy-to-remember name like www.mywonderfuldomainname.com instead of the hard-to-remember 204.71.200.67 (an IPv4 address) or the even trickier 2001:4860:8006::69 (an IPv6 address).

Active Directory coordinates many of its activities with the DNS and DHCP services on your network, but those services also need to be robust and self-standing, and in large organizations they are often managed separately from Active Directory to ensure their reliability. This article examines some of the issues that arise when the DHCP service interoperates with Active Directory Domain Services on domain controllers.

Running the DHCP Server role on a domain controller

Can the DHCP Server role be installed on your domain controllers the way the DNS Server role typically is done? And if it can be done, is it a good idea to do so?

The short answer is yes: you can run all three roles (Active Directory Domain Services, DNS Server and DHCP Server) on the same server without any problems. There is one gotcha, however. When the DHCP Server service registers DNS records on behalf of DHCP clients, by default it does so under the identity of the computer it runs on. On a domain controller that identity is the DC's own computer account, which has broad rights over Active Directory-integrated zone data. Two things follow: records the DHCP service registers end up owned by the DC rather than by the client, so the client cannot later update its own record; and if that DC is also a member of the DnsUpdateProxy group, every record it registers, including its own A and SRV records, is created without a security ACL, so any authenticated user can overwrite it. The remedy is some additional configuration: give the DHCP Server service a dedicated, low-privilege domain account to use for DNS registrations, and keep the DC's computer account out of DnsUpdateProxy. The authoritative guidance on this is in Microsoft Support article KB282001, but the information there is dated and somewhat obscure, which makes it difficult to understand. A much better explanation of the underlying issue and how to address it is provided by Karam Masri, a Microsoft Premier Field Engineer in the United Arab Emirates, in his TechNet blog post titled DHCP Server in DCs and DNS Registrations, and I strongly recommend that you read it if you plan on running the DHCP Server role on any of your domain controllers. Other TechNet articles you will probably want to read on this matter are Eliminate manual updates of DNS records by configuring dynamic update and secure dynamic update, and DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
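The following PowerShell is an added example, not code from the article or from Microsoft, showing how the credential configuration described above is done and how to check for the DnsUpdateProxy problem. The domain name corp.example.com, the account name svc-dhcpdns and the domain controller name DC01 are assumed placeholders; the cmdlets are the standard ActiveDirectory and DhcpServer modules shipped with Windows Server 2012 and later.

```powershell
# Added example (not from the article or Microsoft): give the DHCP Server
# service on a domain controller a dedicated account for DNS registrations.
# Assumed names: domain corp.example.com, account svc-dhcpdns, DC named DC01.
# Run in an elevated PowerShell session on the DC that hosts the DHCP role.
Import-Module ActiveDirectory
Import-Module DhcpServer

$Domain   = 'corp.example.com'
$SvcName  = 'svc-dhcpdns'
$DcName   = 'DC01'
$Password = Read-Host -AsSecureString "Password for $SvcName"

# 1. An ordinary domain user with no extra group membership. Registering,
#    refreshing and deleting client A/PTR records needs nothing beyond what
#    any authenticated user already has in a secure-dynamic-update zone.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName `
        -UserPrincipalName "$SvcName@$Domain" `
        -AccountPassword $Password -PasswordNeverExpires $true `
        -CannotChangePassword $true -Enabled $true `
        -Description 'DHCP Server DNS dynamic update account'
}

# 2. Hand the credential to the DHCP Server service. Without this the service
#    registers records as the DC's computer account, so the records are owned
#    by the DC and the clients cannot update them later.
$Cred = New-Object System.Management.Automation.PSCredential `
    -ArgumentList "$Domain\$SvcName", $Password
Set-DhcpServerDnsCredential -Credential $Cred -ComputerName $DcName
Restart-Service -Name DHCPServer

# 3. Verify that the service now holds the dedicated account.
Get-DhcpServerDnsCredential -ComputerName $DcName

# 4. Check: the DC's computer account must not be in DnsUpdateProxy. Records
#    registered by members of that group have no ACL, and on a DC that would
#    include the DC's own A and SRV records.
$DcAccount = Get-ADComputer -Identity $DcName
$InProxy = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Where-Object { $_.DistinguishedName -eq $DcAccount.DistinguishedName }
if ($InProxy) {
    Write-Warning "$DcName`$ is a member of DnsUpdateProxy; removing it."
    Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members $DcAccount -Confirm:$false
}
```

The dedicated account is deliberately not added to DnsUpdateProxy either: membership there is what removes the ACL from registered records, and with a dedicated account the DHCP service no longer needs it to take over records that belong to other owners.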

This doesn't address my second question, namely whether it's a good idea to run the DHCP Server role on domain controllers. In general my answer is that, except for test environments, it is not. My reasoning is basically that it's easier to harden and patch servers when roles are distributed among them instead of stacked on one of them. If you have multiple server roles installed on one server (physical or virtual), the Group Policies for hardening that server become complex and some of the policy settings may conflict: you might find that a certain setting should be set one way to harden one role on the box but a different way to harden another. Secondly, the more roles you install on a server the more patches need to be applied to it, which makes it more likely that a buggy patch will affect several network services instead of only one, and usually makes it harder to identify, debug and fix the problem the patch caused. So in general I favor as much separation of roles as possible among the servers on your network, and with virtualization this becomes simple to implement at no extra cost: just spin up more virtual machines for the various server roles you need to deploy.

Running a domain controller as a DHCP client

The opposite scenario from what we considered above is whether a domain controller itself can have its IP address dynamically assigned by a DHCP server somewhere on your network. Can a domain controller be a DHCP client? And is it a good idea to do so?

First off, let me say that very few customers I have heard of have ever tried this in a production environment. While many server roles, including DHCP Server, DNS Server and WINS Server, expect you to give the server a static IP address when you install the role, the domain controller (AD DS) role doesn't require this. So you could create DHCP reservations on your DHCP server and use them to hand the same IP address to each domain controller every time it reboots, for example after applying a patch or undergoing some other kind of maintenance. A reservation keeps the address stable, but it does not remove the dependency: if a domain controller reboots and for any reason whatsoever cannot reach the DHCP server to obtain its address, Windows falls back to an automatic private (169.254.x.x) address, the DC's DNS records no longer point at it, and it cannot provide directory services to clients at its site until the lease is obtained. That is a clear risk, and it is compounded when the only DHCP server for the site is itself a domain controller that depends on this DC.

As far as authoritative guidance from Microsoft on this issue is concerned, the TechNet article titled Install and Configure the Domain Controller, which dates from the Windows Server 2003 era, probably still applies (Microsoft doesn't always update all its documentation) and states the following: “The wizard will notify you that the computer has a dynamically assigned IP address. Typically you would not assign a dynamic IP address to a domain controller. However, this configuration is acceptable for this simple network in which the router is used as the DHCP server.” So provided your network setup is simple, it may be acceptable to assign your domain controller's IP address dynamically using DHCP.
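As an added example, not part of the original article, the PowerShell below audits every domain controller in the domain for IPv4 interfaces that are still DHCP-assigned, and, where you decide to accept the risk of keeping DHCP, pins the current address with a reservation so it cannot drift across reboots. The DHCP server name DHCP01 and the scope ID 10.0.1.0 are assumed placeholders; the remote queries assume PowerShell remoting is enabled on the DCs.

```powershell
# Added example (not from the article or Microsoft): find DCs whose IPv4
# addresses come from DHCP and reserve them. Assumed names: DHCP server
# DHCP01, scope 10.0.1.0. Requires the ActiveDirectory and DhcpServer modules
# and PowerShell remoting to each DC.
Import-Module ActiveDirectory
Import-Module DhcpServer

$DhcpServer = 'DHCP01'
$ScopeId    = '10.0.1.0'

foreach ($dc in Get-ADDomainController -Filter *) {
    # Ask each DC for connected IPv4 interfaces that are DHCP-enabled.
    $dhcpIfs = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-NetIPInterface -AddressFamily IPv4 |
            Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' } |
            ForEach-Object {
                $addr = Get-NetIPAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4 |
                    Select-Object -First 1
                $mac  = (Get-NetAdapter -InterfaceIndex $_.InterfaceIndex).MacAddress
                [pscustomobject]@{ Alias = $_.InterfaceAlias; IP = $addr.IPAddress; MAC = $mac }
            }
    }

    if (-not $dhcpIfs) {
        Write-Output "$($dc.HostName): all IPv4 interfaces are static"
        continue
    }

    foreach ($if in $dhcpIfs) {
        Write-Warning "$($dc.HostName) [$($if.Alias)] has DHCP-assigned address $($if.IP) (MAC $($if.MAC))"

        # A 169.254.x.x address means the DC already failed to reach DHCP at
        # its last boot; that is the failure mode the article warns about.
        if ($if.IP -like '169.254.*') {
            Write-Warning "$($dc.HostName) is on an APIPA address and is not serving its site"
            continue
        }

        # Preferred fix is a static address on the DC. If DHCP is kept instead,
        # reserve the current address so a lease renewal cannot change it.
        $existing = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
            Where-Object { "$($_.IPAddress)" -eq $if.IP }
        if (-not $existing) {
            Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
                -IPAddress $if.IP -ClientId $if.MAC -Name $dc.HostName `
                -Description 'Domain controller: do not delete'
        }
    }
}
```

The reservation only addresses address drift; it does nothing for the case where the DHCP server is unreachable at boot, which is why the script flags APIPA addresses separately rather than trying to reserve them.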

But there is also some good non-authoritative (not Microsoft official) guidance on this issue out there as this topic has gained renewed interest with the development of cloud computing. For example, this Quora discussion thread talks about this issue in the context of running domain controllers in Amazon Web Services (AWS). Similarly, this TechNet Wiki article addresses a similar scenario for domain controllers running in Microsoft Azure Infrastructure as a Service (IaaS) clouds.

Still got questions about Active Directory?

If you have any questions about Active Directory, the best place to ask them is the Active Directory Domain Services forum on TechNet. If you don't get the help you need there, you can try sending your question to [email protected] so we can publish it in the Ask Our Readers section of our newsletter and see whether any of the almost 100,000 IT pro subscribers of our newsletter have suggestions concerning your problem.
